Re: Snort and my VLANs

[Joel Esler <jesler () sourcefire com>]

Good to hear you got it!  

--  
Joel Esler
Senior Research Engineer, VRT
Open Source Community Manager


On Thursday, February 14, 2013 at 7:06 PM, Josh Bitto wrote:

> Nevermind…..I figured what I was doing wrong…..I had everything working correctly and I can trigger events….I just 
> installed a port scanner on one of the machines in a VLAN subnet and it triggered…..I’m good to go :D
>   
>   
>   
>   
> From: Y M [mailto:snort () outlook com]  
> Sent: Thursday, February 14, 2013 2:08 PM
> To: Josh Bitto; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Snort and my VLANs
>   
> In this case you would need to place sensors between vlans for vlan-to-vlan communication/detection since the traffic 
> will not be reaching the edge WAN or router interface and Snort will not be seeing the traffic. However, if a BYOD 
> is, for example, infected with a malware which may be attempting to communicate to an external IP, then it has to go 
> through the edge router and hence get detected by Snort.
>  
> This is where a distributed sensors deployment architecture would come in handy. I would suggest starting with, if 
> you have one, the servers vlan to monitor any suspicious activity going to your servers.
>  
> I hope my answer makes some sense.
>  
> YM
>  
> From: Josh Bitto (mailto:jbitto () onlineschool ca)
> Sent: ‎2/‎15/‎2013 12:57 AM
> To: snort-users () lists sourceforge net (mailto:snort-users () lists sourceforge net)
> Subject: [Snort-users] Snort and my VLANs
> I’m having issues where I am not able to determine if I can actually catch bad traffic with snort.
>   
> Right now I have snort in a test lab where I have interfaces WAN, LAN….and then my VLANS. My firewall does all the 
> routing and has the vlans setup. So when I go to testmyids.com and trigger a rule I get the rule triggered on my WAN 
> interface but not any of my VLANs……
>   
> Basically what I’m trying to initiate is if a user brings in a byod…I want to be able to detect anything on that 
> machine when it connects to my internal vlan.
>   
>  
>  
>  
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013  
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>  
> Please visit http://blog.snort.org to stay current on all the latest Snort news!  

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!